05-26-2011 12:30 PM - last edited on 05-26-2011 12:55 PM by shannons
Every few minutes I keep receiving an alert message about a "web attack: malicious toolkit iframe injection 3", coming from 188.8.131.52, origin broadintel.com.
I have difficulty understanding the detailed message. Here is its translation into English (I have a French NIS install): the network traffic incoming from 184.108.40.206 has a known attack signature. The attack is originated by \DEVICE\HARDDISKVOLUME2\PROGRAM FILES (X86)\NORTON ONLINE\ENGINE\220.127.116.11\CCSVCHST.EXE (then follow instructions on how to disable receiving the same messages again).
If I understand correctly, the attack should originate from accessing a malicious or compromised web site that redirects to a page where the attacker tries to inject trojans onto the PC.
Now, to my knowledge, applications on the PC were not visiting such a page, and it looks like the application accessing the page was NIS itself, while I would expect something else to appear here (i.e. Firefox, if the web browser was the guilty app).
Any help from the community?
05-26-2011 12:43 PM - last edited on 05-26-2011 12:54 PM by shannons
I found the origin of the message: it is the MediaCoder application.
When launching the application (the CUDA transcoder version), it checks online for the transcoder license, and most probably the web site is compromised.
In fact, it is enough to access broadinte.com from a web browser to get the same message from NIS.
- if you ask Norton Safe Web about the site, you get the message that the site is safe with no risks at all
- the NIS error message says the attack is coming from the NIS proxy (?), without reporting the real application trying to access the incriminated web site